Apple Releases Security Update 2009-004 for Mac OS X with DNS Fix [Update]

Apple released Security Update 2009-004 for Mac OS X on Wednesday, an update that addresses a security hole in Mac OS X's built-in DNS server.

Software Update's patch notes say simply, "Security Update 2009-004 is recommended for all users and improves the security of Mac OS X," and refer users to the company's Security Update Web site, which has not yet been updated with information about the new patch.

The company's security e-mail notification service, however, has the details on this patch. According to that e-mail, the issue is tracked as CVE-2009-0696 and involves the DNS server in Mac OS X, which is included in both the normal and server versions of Mac OS X.

"By sending a maliciously crafted update message to the BIND DNS server," the patch notes said, "a remote attacker may be able to interrupt the BIND service. The issue affects servers which are masters for one or more zones, regardless of whether they accept updates. BIND is included with Mac OS X and Mac OS X Server but it is not enabled by default."

The notes added, "This update addresses the issue by properly rejecting messages with a record of type 'ANY' where an assertion would previously have been raised."

The patch is a 10.1MB download for Mac OS X 10.5.8. A version is available for Mac OS X 10.4.11, as well. We will update this article with additional information once it is available.

A restart is required for installation.

[Update: The article was updated with details on the security fix included in the patch.]